Telephone Oriented Attack Delivery (TOAD) and Strategies to Counter It
Callback phishing, or TOAD, cunningly lures potential victims to call phone numbers, typically linked to deceptive call centres. These calls create an environment that can trick unsuspecting individuals into installing remote access tools or malware on their systems.
By Daniel Kelley
Jul 21, 2023 18:00
Overview of Telephone Oriented Attack Delivery (TOAD)
This blog post aims to provide insight into TOAD. We will explore what TOAD entails, how it works, and how it differs from traditional spam and phishing that we're accustomed to, as well as real-life examples. Lastly, we'll discuss a few tips to mitigate the risks associated with TOAD.
An Illustrative Example of a TOAD Attack
Let's walk through a typical TOAD attack step by step to see how the lure, the call and the compromise fit together:
- The Phishing Email: A user receives an email that seems to originate from a credible source, such as Amazon or PayPal.
- The Invoice: Within this email, there is an invoice for a large purchase the user does not remember making. The invoice, while counterfeit, is meticulously designed to mirror a legitimate one.
- Raising Suspicion: The unexpected invoice naturally stirs suspicion or confusion in the recipient. There are no hyperlinks to click and no attachments to download, a departure from traditional phishing and spam emails, and one that matters: secure email gateways that key on malicious URLs and attachments have nothing to detonate or reputation-check, so the message often lands in the inbox.
- The Call: Instead, the email prompts the recipient to call a customer service number (typically US-based) if they have any questions or concerns about the invoice. Motivated by concern, the user decides to call the number provided.
- The Trick: Answering the call is a fraudster, not a customer service representative from the alleged company. They assure the user that they can help resolve the issue, but they'll need access to the user's system to do so. They instruct the user to download and install a "support tool" which, in reality, is either a legitimate remote-access tool that the attacker now controls or outright remote-access malware.
- The Aftermath: Once installed, the tool gives the fraudster unrestricted access to the victim's system, exposing sensitive information and opening the door to further exploitation, from data theft to the deployment of additional payloads.
This technique distinguishes itself from conventional phishing and spam emails. While all these tactics rely on social engineering, TOAD employs direct human interaction over phone calls. A live operator can adapt to the victim's questions and objections in real time, which introduces a layer of unpredictability and is harder to detect and control than the mostly digital, static lures used in traditional phishing emails.
However, it should be noted that the attacker doesn't always connect directly to the potential victim's machine to install malware or steal data. Operators have also been observed directing the caller to a webpage from which they download a loader such as BazarLoader (also written BazaLoader), which then acts as a dropper for further malware.
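The pattern described in the steps above (a brand-named sender, invoice or payment vocabulary, a phone number as the only call to action, and no links or attachments) can be turned into a triage heuristic for a mail pipeline. The following is an added example written for this post, not code from the original article or from any vendor; the brand domains, the "known-good" support numbers and both sample emails are constructed placeholders, and the scoring weights and threshold are assumptions to tune against your own mail.

```python
"""Heuristic triage for callback-phishing (TOAD) emails.

Scores a raw RFC 822 message on the traits the post describes:
  * impersonated brand in the From display name or Subject
  * invoice / payment / subscription lure vocabulary
  * a phone number in the body, and whether it is a known support number
  * no URLs and no attachments (the call is the only action offered)
  * a sending domain that does not belong to the impersonated brand
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed placeholders (555-01xx numbers are reserved for fiction); a real
# deployment would load these from the brand's published contact page.
KNOWN_GOOD_NUMBERS = {
    "amazon": {"+18005550100"},
    "paypal": {"+18005550199"},
}
BRAND_DOMAINS = {
    "amazon": ("amazon.com",),
    "paypal": ("paypal.com",),
}
LURE_WORDS = re.compile(
    r"\b(invoice|order|payment|charged|subscription|renew(?:al|ed)?|receipt)\b", re.I)
URL_RE = re.compile(r"https?://|www\.", re.I)
# North American numbers with optional country code and common separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def normalize_phone(raw: str) -> str:
    """Reduce '+1 (888) 555-0142' / '888.555.0142' to E.164-style '+18885550142'."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def triage(raw_message: str) -> dict:
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    has_attachment = any(True for _ in msg.iter_attachments())

    score, reasons = 0, []
    haystack = f"{display} {subject}".lower()
    brand = next((b for b in BRAND_DOMAINS if b in haystack), None)
    if brand:
        score += 1
        reasons.append(f"claims to be {brand}")
        if not any(sender_domain == d or sender_domain.endswith("." + d)
                   for d in BRAND_DOMAINS[brand]):
            score += 2
            reasons.append(f"sender domain {sender_domain!r} is not a {brand} domain")
    if LURE_WORDS.search(subject) or LURE_WORDS.search(body):
        score += 1
        reasons.append("invoice/payment lure vocabulary")
    phones = sorted({normalize_phone(m.group(0)) for m in PHONE_RE.finditer(body)})
    if phones:
        score += 1
        reasons.append(f"phone number(s) in body: {phones}")
        if brand and not set(phones) & KNOWN_GOOD_NUMBERS[brand]:
            score += 2
            reasons.append("number is not on the brand's known-good list")
    if not URL_RE.search(body) and not has_attachment:
        score += 1
        reasons.append("no links or attachments: calling is the only action offered")
    verdict = "likely TOAD" if score >= 5 else "low risk"   # threshold is an assumption
    return {"score": score, "verdict": verdict, "reasons": reasons, "phones": phones}


# Constructed sample: a callback lure with no link and a look-alike sender domain.
TOAD_SAMPLE = """From: "Amazon Billing" <billing@amaz0n-support.net>
To: victim@example.org
Subject: Invoice #AMZ-88213 for your recent purchase
Content-Type: text/plain; charset="utf-8"

Your order for a MacBook Pro has been charged $2,499.00 to your card on file.
If you did not authorise this purchase, call our billing department at
+1 (888) 555-0142 within 24 hours to cancel the order and receive a refund.
"""

# Constructed sample: a benign receipt with a real-looking domain, a link and a known number.
LEGIT_SAMPLE = """From: "Amazon.com" <no-reply@amazon.com>
To: customer@example.org
Subject: Your receipt
Content-Type: text/plain; charset="utf-8"

Thanks for your order. Your receipt is available at https://www.amazon.com/your-orders
Questions? Call Amazon customer service at 1-800-555-0100.
"""

if __name__ == "__main__":
    for name, sample in (("TOAD_SAMPLE", TOAD_SAMPLE), ("LEGIT_SAMPLE", LEGIT_SAMPLE)):
        result = triage(sample)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for reason in result["reasons"]:
            print("  -", reason)
```

The "known-good number" comparison is the automated form of the advice to verify a contact method independently: the number in the message is checked against the brand's published support numbers rather than trusted because it appears next to the brand's name. Expect false positives from legitimate transactional mail that omits links; the score is a triage signal for quarantine or analyst review, not a block decision on its own.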
Callback Phishing and TOAD Campaigns
Over the years, attackers have adopted TOAD in large-scale campaigns to infect potential victims. Below are two notorious examples:
- Luna Moth Callback Phishing Campaign: Luna Moth (also tracked as the Silent Ransom Group) uses callback phishing to get a remote-access tool onto the victim's machine, then steals sensitive data from the victim organisation and extorts it under threat of publication, without deploying ransomware at all.
- The BazaCall TOAD Campaign: This campaign delivers the BazarLoader malware via emails claiming to come from a service the recipient subscribes to, typically warning that a trial is about to expire and be charged. The emails instruct users to call a number to manage or cancel the subscription. The fraudsters impersonate customer service agents and guide the callers through downloading and opening a file that installs BazarLoader, gaining control over the user's system.
The primary driving force behind most of these campaigns is financial gain. Attackers are not typically interested in the specific contents of a victim's data or systems, but in what they can leverage for monetary benefit.
Cybersecurity Awareness: A Primary Defence
It's important to note that cybersecurity awareness is the primary defence against this type of attack: because the email carries no link or attachment and the caller dials out voluntarily, most of the technical controls that stop conventional phishing never come into play. Awareness should still be backed by policy and tooling that prevents users from installing or running remote-access software that is not approved by the organisation.
- Be suspicious of and avoid responding to unsolicited emails, phone calls or other types of communication, especially ones that create urgency around an unexpected charge.
- Double-check the authenticity of any invoices or payment requests by contacting the relevant company directly through a verified contact method (the number on the company's official website or on the back of your card), never the number printed in the message itself.
- Never install software or grant remote access at the request of someone on a phone call, even if you initiated the call using a number from the email.
- Consult official support documentation and resources for assistance before seeking help from third-party sources or unofficial channels.
Conclusion: The Foreseeable Future of TOAD Attacks
Keepnet Labs expects attacks that use TOAD to increase because they are cheap, hard to detect and can be used to make money quickly. Although initially only groups with experience in running call-centre style operations and identifying sensitive data will pose a serious threat, the low barrier to entry means that many more attackers may adopt this method in the future.